New Jersey Association of Mental Health and Addiction Agencies

September 8, 2020

Virtual Conference October 21, 2020 Features Expert with Critical Advice

While the healthcare industry is expected to spend $65 billion from 2017 to 2021 on cybersecurity products, many hospitals will continue to be at risk of cyberattacks, which will cause damages that could cost as much as $6 trillion by next year. This is a significant increase from $3 trillion in 2015, according to an April 2020 report by Cybersecurity Ventures. The following statistics back up these predictions: The healthcare industry endured two to three times more cyberattacks in 2019 compared to other industries, and healthcare data breaches affected more than 41 million patient records last year, which equals a 196% increase from 2018.

"The amount of sensitive information held by healthcare organizations makes them more appealing to attackers and, therefore, more vulnerable," explained Daniel Eliot, Director of Education & Strategic Initiatives at the National Cyber Security Alliance. He added that the increased reliance on telemedicine raises additional security risks. "Connections should be secure and encrypted. From a small healthcare facility to the largest hospital, all are at the top of the list of targets," he stressed.

"There is a lack of investment in cybersecurity as a whole, whether it's not hiring qualified staff or not seeking information technology [IT] security vendors. One challenge of cybersecurity is that it's not as tangible as fire, flood and other threats. You can't see it and it sneaks up on you quickly," Eliot said.

To help organizations understand cybersecurity, make the best investments to reduce risk of cyberattacks and mitigate the impact of any invasions that may occur, Eliot will deliver the keynote presentation, Converting Awareness into Action: It Begins with Culture, during the New Jersey Association of Mental Health and Addiction Agencies' (NJAMHAA's) IT Project's conference, No Fooling: IT is Critical!, which will be held virtually on October 21, 2020.

According to Eliot, when companies invest in cybersecurity, there is often a misalignment of funding. "Many organizations spend a lot on technology, such as firewalls and virtual private networks, and believe they'll be secure. We underestimate the human elements and the need for
training. Once cybercriminals get past a firewall, employees click on harmful links in e-mails," he said, emphasizing that three elements are critical for having better security: employees who are well trained, solid processes and effective technology.

June Noto, NJAMHAA's Vice President of Information Technology, Human Resources and Administrative Services, reinforced the importance of training. "Education is the singular most important tool that any employer can implement. Sure, there are firewalls and routers, and anti-virus and anti-malware software, but nothing, except education and awareness, can protect end users from scammers," she said.

However, training and education are just part of the picture. The focus on cybersecurity needs to be integral to every organization's culture.

"Cybersecurity is a resilience-based topic, and these topics are not as sexy as generating leads or getting more customers or capital. Organizations tend to think of risk and resilience only one time a year or when something happens and they have to address it. Reducing risk and building resilience need to be part of every organization's culture," Eliot stated.

To further reinforce the importance of employee training and buy-in, Eliot stated, "It's not always malicious actors who bring threats to healthcare organizations. Sometimes, it's internal actors who make mistakes, for example, accidentally sending patient records to the wrong recipients. This happens a lot in health care. Organizations need to reduce risks inside their organizations, which are present in potential mistakes, as well as disgruntled employees and contractors."

Please visit www.njamhaa.org/events for links to details and online registration for the conference, No Fooling: IT is Critical!, which will be held virtually on October 21, 2020.

"When it comes to culture, compliance with laws, regulations and industry standards doesn't mean security, and employees' awareness doesn't necessarily mean they'll care," Eliot warned. During his presentation, he will explain how to develop and implement awareness campaigns that motivate individuals to help reduce risk. "Every employee has a role in protecting the enterprise. Everyone must be equipped with knowledge, tools and resources to do that," he stressed.